The Federal Trade Commission has further delayed enforcement of the so-called Red Flags Rule for identity theft prevention until Dec. 31, while Congress considers legislation that would affect the scope of entities covered by the rule.
The Red Flags Rule is part of the Fair and Accurate Credit Transactions Act, which Congress passed in 2003. The rule requires financial institutions and creditors, including CPAs who bill clients, to develop and implement a written identity theft prevention program to protect customers personal information. The rule was originally intended to take effect on Nov. 1, 2008, but has been delayed three times by the FTC and was scheduled to take effect on June 1, 2010.
The American Institute of CPAs filed suit last November to exempt CPAs from the requirement, claiming that the FTC exceeded its statutory authority by extending the rule to encompass accountants. The U.S. District Court for the District of Columbia granted a delay in enforcement of the rule in March for members of the AICPA in public practice (see
The delay for CPAs was supposed to extend until 90 days after the U.S. Court of Appeals for the District of Columbia renders an opinion in a similar suit against the FTC on behalf of attorneys by the American Bar Association.
